Added note on send_file security.

This commit is contained in:
Armin Ronacher 2010-05-12 01:02:20 +02:00
parent 5bb2b55a28
commit f80e1d3b5a
1 changed files with 7 additions and 0 deletions

@ -249,6 +249,13 @@ def send_file(filename_or_fp, mimetype=None, as_attachment=False,
also explicitly provide one. For extra security you probably want
to sent certain files as attachment (HTML for instance).
Please never pass filenames to this function from user sources without
checking them first. Something like this is usually sufficient to
avoid security problems::
if '..' in filename or filename.startswith('/'):
abort(404)
.. versionadded:: 0.2
:param filename_or_fp: the filename of the file to send. This is
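Review bot: the suggested check on the added lines, `if '..' in filename or filename.startswith('/')`, is both too strict and too loose: it rejects legitimate names that merely contain two consecutive dots (e.g. `report..final.txt`), and it does not cover backslash separators or drive-letter prefixes that are also absolute on Windows. Rather than a substring test, the docstring should advise normalising the candidate path and confirming it still lies inside the intended directory (e.g. via `os.path.normpath`/`os.path.abspath` and a prefix comparison against the base directory) before handing it to `send_file`, and the wording "usually sufficient" should be softened to make clear the snippet is a minimal example, not a complete defence. Minor: the context line "to sent certain files as attachment" carries a pre-existing typo ("sent" for "send") that could be fixed in the same docstring pass.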